Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

moonbender writes "Fake but working iTunes gift cards are being sold on Chinese auction sites for a fraction of their value: 'The owner of the Taobao shop told us frankly that the gift card codes are created using key-generators. He also said that he paid money to use the hackers' service. Half a year ago, when they started the business, the price was around 320 RMB [about $47] for [a] $200 card, then more people went into this business and the price went all the way down to 18 RMB [about $2.60] per card, "but we make more money as the amount of customers is growing rapidly."' The people at Chinese market researcher Outdustry have apparently confirmed this by buying a coupon and transferring it into an iTunes account. Oops."

It's probably safer too. Bittorrent is going to be a civil matter. Exploiting a hole in Apple's POS system to get free stuff probably qualifies as fraud and would bring criminal charges.

Random thought: Reminds me of the old days when you could create credit card "numbers" that weren't actually valid but passed the checksum test and use them to create AOL accounts. Kind of surprised that Apple wouldn't know better.

Random thought: Reminds me of the old days when you could create credit card "numbers" that weren't actually valid but passed the checksum test and use them to create AOL accounts. Kind of surprised that Apple wouldn't know better.

Why do you think Apple users don't use virus scanners or real firewalls?

Because, for the most part, nobody is really writing viruses for OSX, so protecting against them is largely a waste of time? Then again, if you don't download shady software on Windows, you're not going to have a problem with viruses, either...

The old 'viruses only target popular platforms' meme relies on the assumption that every platform is exactly secure as every other platform, and that is provably false.

Actually, I didn't say anything about viruses only targeting popular platforms. I said "for the most part, nobody is really writing viruses for OSX", which is true. There are far more viruses being written for Windows. I didn't attempt to explain the reason for that, though. It could be that Windows s more popular, or it could be, as you

I have no clue, access to BitTorrent, behind the Great Firewall of China. But from what I've read (horror stories) about net activities being traced and questioned, I'd use an illegal Apple Store access rather than BitTorrent.

"Yes, Comrade Prosecutor - tell me what I did wrong ripping off the imperialists," sounds like a better defense than, "I promise I wasn't looking at porn."

It took the Chinese only about 3 decades to become what U.S. government and corporations have been having wet dreams about for nearly a century - that is a largely autocratic and oligarchic corporate system that can count on socialist support from the federal government when it needs it, which is all the time. In the meantime the economists or the People's Worker's Party or whomever will dispense the priestly blessings of the socialist revolution or laissez-faire capitalism or whatever is in vogue at the time to the citizens, leaving the government and corporate entities to pursue the obvious and efficient solution for economic and national power. Capitalism vs. communism with regard to China is a false dichotomy. The US is probably on the way to whatever China is now, it's just taken us a lot longer to get there because we've had to spend an enormous amount of effort at keeping up the illusion of a representative democracy, while China has been autocratic pretty much all along.

...and all the ZeroConf code, the IOKit, LaunchD, all the Firewire library code from Zayante, CoreFoundation, the GCC Objective-C implementation, a lot of additions to SQLite, not to mention all the work they're doing on LLVM (which will finally end the dark ages of GCC).

"but we make more money as the amount of customers is growing rapidly."

Brilliant business model there, Taobao. I used to feel bad that Amazon's MP3 Service only worked inside the United States but now it's pretty clear: I doubt Apple will have much luck prosecuting anyone in this case whereas it would have been different had it happened on American soil.

I'm sure the Chinese government will help protect Apple's... hahahaha sorry, couldn't quite say that with a straight face. Seriously, we must look like ripe-for-the-picking rubes to places like China. They're sitting there with free copies of Vista, Adobe Suites and now cheap "legal" music. I guess it will forever remain a mystery to them why their nation isn't home to prosperous software & music industries while the status quo is free for the taking with no repurcussions.

The real comedy will happen when someone in China actually comes up with some IP that they want to make a buck off of. Hopefully an entire cottage industry will pop up in the rest of the world that's devoted to doing nothing but cranking out copies of whatever it is that China suddenly values, and even more hopefully that cottage industry will be named "Fuck You Chinaman, Inc.!"

I agree that would be funny. But the real comedy here is that nothing is actually being stolen here. What is really happening is that a new unit of currency is being counterfeited. But that currency is backed by value in digital media, which in and of itself is ephemeral and can be obtained by other means for free. What a bizarre situation.

No, there is no currency exchange going on, the 'gift card' tells iTunes to exempt you from paying for the tracks as you have already presumably payed apple for the gift card. Apple is still paying the artist 70% of the cost of the music being downloaded, and they are paying in real currency.

This comment is not just funny, it is silly and obviously from someone who knows nothing about China.

For one, the Chinese themselves come up with a lot of IP. This ranges from music productions to technical innovations (yes also that, believe it or not). And yes they are copied big time, even though the Chinese government does try to enforce the protection of this IP. And yes it does so much more vigilantly than the protection of foreign IP. Mind that many US and other overseas patents are not valid in China in the first place, patents after all are limited to the countries/areas where they have been applied for and issued.

If someone comes with a new product in China and has some success, everyone will jump on the bandwagon and make it as well. Even if there is no protected IP involved. If someone starts making plastic coffee cups for example, and makes a good buck out of it, dozens of other factories will spring up and do the same. They all copy one another.

If you come up with some innovation in China and you really want to keep it for yourself you will have to keep it a secret. Don't tell anyone how you do it. This is why many Chinese are very reluctant to show you their production lines, and often you won't get access there at all. Taking photos of machines is also something that many Chinese really don't like. At trade shows many booths also have a no-photo-taking policy because otherwise within a few days they will find their newly designed jewellery at half the price all over the place. At their neighbour's booth for example (not joking).

IP in China is as if there is effectively no IP. Everyone copies from everyone with impunity. There is little enforcement, and what enforcement takes place is largely showing off to the outside world, staged media events making it look like something is being done. China can as such be used as case study for what happens if IP would be abolished. And it is overall not a pretty picture.

You can't identify the illegitimate cards. Each individual card isn't kept track of. The bar code on each of them is more like the answer to a math problem. If you know how to solve the problem, you get in, no questions asked. The only thing they can do is change the math problem and eventually get rid of the old one as a valid question to answer.

ISBN numbers are made out of a series of numbers identifying the language, publisher, imprint and title/edition. The last digit is the mod 11 of the sum of the numbers, each multiplied by a weighting digit based on its position in the string. To make a barcode you have three different image patterns for each digit. The last six are all represented by type "R". The first one is not represented, except for defining a pattern of "L" and "G" types for the first six numbers, and enc

I guess it probably depends on how valuable Apple's manufacturing business is to China. I'm willing to bet that iPods, laptops and pretty every other physical item in Apple's line is significant enough for them to pay attention. Some people might get disappeared.

But really, maybe Apple has learned a lesson here. Don't just validate cards using an algorithm. Keep track of which numbers you've sold, same as a credit card issuer.

When it comes to international copyright it is no surprise to me that across borders people are far less inclined to respect copyright laws of another country.

It reminds me of something that I read once that stated that back in the 19th century before the US had established it's own home-grown authors and publishing industry, it was common place for Americans to simply copy and republish without consent the work of European authors and publishers. That was of course despite the constant complaints of European publishers and governments.

Of course eventually the US publishers had grown to a position where they themselves realized that they needed copyright in order to continue growing with the now booming local literature scene, hence the "true" birth of enforced US copyright.

(History repeating itself. Hmm, now how often does *that* ever happen - sarcasm)

Unfortunately I have no original sources to this 'tale', I would appreciate if anyone can either confirm or deny this with some evidence, as it is such a compelling story I would like to believe that it is true!

The US only recognized domestic copyrights until 1891. Prior to that, foreign works were considered public domain. Mark Twain became a US citizen to protect his writings and lobbied for the International Copright Act.

The paragraph in Wikipedia you got that from was a freaking disaster zone. Incomplete sentences, jumbled meanings, utter crap. (Mark Twain had to establish Canadian residency to have at least one of his works protected there. (That was in the linked article.))

I've (likely badly) fixed that up, using information from the linked article.

Wikinuts could say this shows the strength of the model, since I, Joe Nobody, was able to correct it. I can counter that with the fact that not even a mere copy editor wou

Gilbert and Sullivan had a big problem with this; people would come to their London openings, write down as much of the words and music as they could, take the boat to America, and put on knock-off productions. For this reason, The Pirates (!) of Penzance premiered in New York, not London.

If the Chinese government doesn't start some kind of law enforcement, China is going to be a giant Black Hole. Blacklisting IP blocks from Chinese ISPs is the best thing I've ever done in terms of spam and malware control.

Wanna know how Chinese are able to go from design on a napkin to working product ready to ship in ONE month? They share, rip, mash-up, copy.
Here is one of the sites used by Chinese Engineers/Developers to share brainpowerhttp://www.pudn.com/ [pudn.com]

Apple would probably still make money since you a) bought an iPhone and b) solidified Apple's hold on music distribution online. Apple probably just laughed all the way to the bank, the same way Microsoft, Adobe and Autodesk are laughing all the way to the bank when their software gets distributed mer or less for free in thesemarkets.
Some markets are unreachable with western prices, so if you still want to be present on them, adjust your price. Close to free, is good enough.

Actually the hacked gift cards aren't close to free, they're negative income for Apple.

Apple still pays a share of the purchase price of each song to the record companies regardless of the payment method. Since they're not getting the income side with hacked gift cards, it's a net loss.

Furthermore, Apple (or the retailer, perhaps) takes an additional loss if a legitimate purchase winds up with the same card number and the user complains. I know I sure would.

This is a HUGE problem, I'm not sure what reasonable solution they're going to come up with. Knowing Apple they'll just beat up their fanbase a little more and cancel all the GC's or something. Ok, flamebait a bit but...i could see them doing that and just hoping their market domination in MP3 sales overcomes the bad juju.

More seriously, there's a good chance that if Apple does decide to change their key system that a lot of legitimate iTunes cards are gonna be rendered worthless.

Why did they even go with a system where the value of the card is written right on the card itself (even if it is encrypted), rather than one that everyone else seems to use? That is, a system where on one of Apple's servers somewhere, there resides a database with the giftcard ID and the balance of the card. Just guessing at exactly how it's done, but given that a Best Buy giftcard can be loaded up with any amount, and can be used without a magnetic reader, I think it's safe to say that the balance is no

I'd be interested to know what algorithm was being used for the keycards. Did Apple use a weak scheme, did someone leak the secret, or (most interestingly) has someone managed to crack a good encryption algorithm.

(Alas, I'd guess it's probably a weak scheme. As recently as two years ago I noticed a bike products retailer was actually using sequential codes for its gift cards)

I actually didn't think this would be possible.
In Australia, when you buy mobile phone recharge (extra credit to make calls), you buy a coupon which is only activated after its brought from an authorized dealer. Once the code is used, that code is useless.
It does mean that each retailer has to have some connectivity to base office, but it stomps out generating new keys as much as you want.

No kidding. The way this is explained makes it sound like if I pulled a stack of iTMS cards off the rack at walmart or whatever and walked out with them in my pocket, they'd all be valid and would work. I have a hard time believing that to be the case. There are hundreds of stores (both online and physical) that sell gift cards at other stores, I have a hard time believing that it doesn't generally work more like you describe, and I also have a hard time believing that Apple would have done it differently.

Sort of. As the previous poster was alluding to, if the card numbers are generated sequentially and stored on the card, all you need to do is know your number, add about 100, put that number on your card, and wait for it to be activated so you can use it. You don't have to access the main server: you just wait for your number to show up.There was a neato scam running a while back where people would steal piles of seemingly useless blank gift cards, record the number off the card into a database, put them back in stores, wait a month, then try and use the number. If the card had been activated but not used (a gift card sitting in a present or a wallet somewhere) they bought what they could as fast as they could.I assume companies now sell entirely blank cards, that are programmed at time of sale, rather than pre-enumerated cards merely being scanned for activation.

At Loblaw's our President's Choice gift cards need to be peeled out of the frame they are inset into, with backing. There's no way to get anything off of the card until then. Plus the frame holds the little hole so you can hang them on the shelf.

And phone cards all just have identical barcodes. The POS system then generates their activation code upon confirmation of payment, and prints it on their receipt.

Possibility 1:Apple doesn't use a database for cards, they use a hash even though that would be stupid.That hash and algorithm for arranging the data before the hash was cracked even though all the verification is done on the server and thus there is no code out there to reverse-engineer.Someone is generating and selling cards using that hash.

They HAVE to keep a database for the cards anyway, to keep track of every code that has already been used (can't have you using the same gift card twice now, can they?) How much harder could it be to keep track of every code that has actually been sold? But even then, there is a window of opportunity: if someone can guess your code between the time it is activated and the time you use it, then they've got your gift certificate and you don't. (This really IS stealing.) My advice to anyone who gets a gift certificate would be to use it as soon as possible. Personally, I feel gift certificates are stupid anyway -- why give somebody the equivalent of cash that can only be used at one store and which becomes worthless if that store declares bankruptcy, when you could just as easily give them cash, or a money order, or a check, or any number of other instruments that could be redeemed anywhere. I once received a gift certificate in a Christmas card that was delivered accidentally to my address, and I was able to go ahead and use it. Couldn't have done that with a check or money order, could I?

I said I was _able_ to go ahead and use it; I didn't say I _did_ go ahead and use it.

That's irrelevant. Based on the fact that you knew it was a Christmas card with a gift certificate in it the GP inferred that you opened the mail which was not addressed to you. Which is a no no [cornell.edu] (last paragraph).

You just admitted to comitting a Federal crime, son, and a Felony at that.

Mail fraud? Pssh. That's small potatoes. Back in my wilder days, I once kept the NYPD busy with various bomb threats, including a real bomb set off in a subway station near the NY Fed.

While the police were on a wild goose chase, my team of vaguely Germanic-sounding villains drove a dozen stolen dump trucks into the basement of the bullion repository in the basement of the Federal Reserve, loaded them up, and drove away with over $100 Billion worth of gold. How's that for admitting a felony online?

when the mail man messes up they don't open it (and there are exemptions somewhere to allow them to open it when required). If you receive something not meant for you then you should give it back to the post office, don't open it.

They don't have to keep a database of those used. They can just keep a counter, and allocate out ranges to other stores etc. Just like MAC addresses - all addresses are valid, but there is no central db and nobody keeping a db of all allocated, just a db of ranges and a counter. They would only need to track the use of a card on its first use.

why give somebody the equivalent of cash that can only be used at one store and which becomes worthless if that store declares bankruptcy, when you could just as easily give them cash, or a money order, or a check, or any number of other instruments that could be redeemed anywhere.

Maybe because they'd prefer to get a gift card? When I get cash, I feel like I need to put it in savings, use it responsibly, etc etc. A gift card to a restaurant or store I like to buy fun stuff in is permission to have fun with it. If you're giving them a gift with the intention of them having fun, a gift card says that clearly. Of course, not everyone feels the same way I do, but part of the point of giving one gift over another is knowing which one the receiver would like most to receive, rather than just which one you'd rather give...

Possibility 1: Apple doesn't use a database for cards, they use a hash even though that would be stupid. That hash and algorithm for arranging the data before the hash was cracked even though all the verification is done on the server and thus there is no code out there to reverse-engineer. Someone is generating and selling cards using that hash.

Let's assume that Apple cryptographers are at least half way competent.

You could use Brand's eCash scheme in this situation. But, since Apple plays the role of both the Shop and the Bank in this scheme, you can do some simplification. So, what's the specification of this hash?

It should be easy for Apple (the holder of some secret key) to generate valid gift certificates, of any amount

It should be difficult for anyone else to generate valid certificates (of any amount)

It should be easy for anyone to verify the validity of a certificate.

I think the simple solution is for Apple to generate unique strings (either random, or increasing integers) and sign them using some signature system, concatenating the value onto the plaintext.

To redeem a certificate, Apple checks that it hasn't been redeemed before, then stores in its database that it has been redeemed. For compactness using increasing integers, store that "all integers less that n have been redeemed".

Everyone knows Apple's public key and can verify the certificate. Only Apple knows the private key necessary to create certificates. Apple knows its own public key so it can verify certificates. It also knows to only accept each certificate once.

I'd guess that if I can cook this up in five minutes, Apple can afford hiring someone who can cook it up at least once during their development cycle (I'm not that leet:p).

(proof of security in the universal composability model is coming straight away; that's called proof by forward reference and it works great in the cookies)

Well, I personally know that InComm [incomm.com] is an authorizer to companies that sell iTunes cards at retail, and that unactivated cards have no value. No algorithm is used for those cards, other than the non-sequential generator (to prevent my_card_number+1 fraud.)

But I also know that TFA claims that an algorithm is broken allowing for virtually unlimited generation of cards.

So either TFA is either wrong or deliberately lying (improbable, but not impossible) or both the algorithm and on-line methods are being used by iTunes (neither particularly odd nor improbable.)

I think it may even be simpler. I went to the site and, though I couldn't understand the language, it seemed as though you had to buy the iTMS certificate with a credit card! So all they have to do is use your card (or in the more elaborate scenario a previous idiot's card) to buy your gift certificate. And they buy whatever else they want with it.

There is this strange concept called "rented apartment", I'm not sure if you have heard of it?Have all the goods delivered within couple of days, loaded on a truck and then make like a tree and get out of there.

Also, you could sell stuff directly to other people.Open up a store on ebay or amazon for real items - with an attractive discount.

- People come, pay you real cash over amazon or through paypal,- You buy items from somewhere on the internet using your stolen cards and mail them directly to your custo

When you buy goods (gift certificates) with stolen funds (credit cards) so you would sell those goods to a third party and thereby make a profit - THAT IS money laundering.

And just imagine such a crazy scenario where they would spend not just $200.00 at a time, but drain the entire card to buy items such as jewelry, luxury items, or even iPhones or iPods - anywhere else on the internet.You know... items that can be sold almost immediately if you sell it for a right price.Or if you use ebay or amazon to sell

The other side to this is that when a legitimate customer buys a card that's code has already been found using a keygen their card won't work, I hope Apple has a refund system. The joys of security through obscurity in action.

If I were to buy some of these giftcards, apple could absolutely terminate my account, I would expect that, but am I breaking any laws? This doesn't seem to be "breaking in" to anything (although I'm sure a judge would see it that way) so is it still considered some sort of cyber-trespass?

Doesn't this fall in to the same category as "the vending machine gave me an extra candy bar. I told the maintenance guy, but he didn't care". What if you even went as far as t

In UK law, at least, which is what 90% of the world base their law systems on:

Very simple. It's fraud. They are *fake* cards, issued by a forger. Thus, you can be charged with fraud, or similar offences. Possibly even handling stolen/counterfeit goods, *whether you knew they were fake or not*! It's no different to faking a cheque, or a credit card. In the US, crossing state boundaries with such things can be a federal offence, so if you're not in the same state as the Apple store, it gets even worse.

If you have the *suspicion* that they are fraudulent and / or a reasonable person would suspect them to be fraudulent (by the *court's* definition of reasonable, not yours), you can quite easily be convicted for fraud, or facilitating fraud, or breach of contract (technically a bad cheque is breach of contract and by trying to pass off this card with a retailer, you are saying that it is genuine, hence the sale could be seen as a breach of contract once they find out the money doesn't actually exist - thus they can happily charge you with fraud for the transaction AND breach of contract for failing to pay for the goods another way). It would *not* be as simple as "I just got them from some website." If a reasonable person would have had suspicions, you can *easily* be convicted - it's like saying that this gentleman knocked on the door selling an expensive in-car audio system with the wires cut and dangling, for a pittance. Whether you thought he was genuine or not, you SHOULD have known that he wasn't (just by the price, if nothing else), thus you can be found complicit in the fraud.

Notification of the breach would certainly work in your favour but isn't an automatic get-out clause. Chances are they would pass it over but ask at which point you became suspicious, where you got it from etc. and expect you to co-operate fully. Don't and those fraud charges pop up but now they know exactly who to aim them at... you.

Cyber-nothing. It's fraud, plain and simple, no better than making up credit card numbers and using them to buy things on Amazon. You're not the rightful keeper of any funds that you do manage to get authorized, so you're into theft (if someone can prove that *they* were entitled to the number on the card you used), fraud and maybe even counterfeiting if you can't point out where you got them from. Now, considering that Apple are both the issuer AND the recipient of the cards in question, they have a very good reason to prosecute. You've effectively stolen a credit card and then used it to pay your other Visa bill.

If they're going to pirate, why do they bother paying $2 to a crook to get music with DRM which they could get for free from BitTorrent? The only advantage iTunes has over piracy is that it is legal - so what's the point of ripping them off with a fake gift card?

Even ethically, that way they'd at least not be supporting the criminal industry like the RIAA is (in this case accurately) claiming.

Thanks very much for those links, they're really, really useful! Full of technical detail on the algorithm used.

For instance, check out these facts in the article Lars T linked to:

* The following letters and numbers can look very similar: The letter A and the letter H
The letter B and the number 8* Apple Gift Cards can be purchased from the Apple Online Store in any amount between $25-$2500* To report a lost or stolen Apple Gift Card, please co